Hacker gang claims St. Lucie County breach, tax collector says sensitive info not at risk

ST. LUCIE COUNTY — Hackers claimed responsibility Monday for an attack that took down St. Lucie County computer networks late last month, promising from their dark-web blog to soon post sensitive information.

The county tax collector, however, is assuring residents their personal information is safe.

Amid ongoing forensic investigations at the county and at the Tax Collector's Office, a notorious cyber gang has listed the tax collector's office on the dark web, according to multiple social media accounts that track ransomware activity.

The Tax Collector's Office and county first began experiencing what spokespeople called "network issues" late last month, after noticing suspicious activity within their systems. They took devices and servers offline and investigated.

While county systems are back online, the Tax Collector's Office is still experiencing issues nearly three weeks later.

Tax Collector Chris Craft said Monday that investigations have found some of his office's data was compromised but stressed that no sensitive data is stored locally.

"There has been information that was copied. People do have information," Craft confirmed. "The biggest thing that we want to stress to the public is that we don't store their sensitive data on our network."

Brett Carlow, threat analyst at cybersecurity firm Emsisoft, on Monday posted a screenshot of the St. Lucie County Tax Collector's Office listing by ransomware family ALPHV, also known as BlackCat, which the FBI last year said had been responsible for more than 60 breaches in the roughly one year since it was first observed in 2021. A number of other accounts also reported the posting.

Craft said he was unaware of ALPHV posting the data, and that he was unfamiliar with that group's name in particular, but he would not be surprised if data has been posted.

"I'm not aware of anything specific that has been posted. Our people, our cybersecurity analysts that are doing the forensics on this and monitoring the dark web have not reported that to me as of yet," Craft said. "But I fully expect something will be posted."

Craft declined to say whether any financial demands have been made of the Tax Collector's Office.

"I don't know who that is. What I've been told, the forensics aren't complete, but we do know that there was information taken, and usually with stuff like that there typically is a demand that comes along with it," Craft said.

Carlow said he can't be sure what information ALPHV posted, as he has not opened it.

"I haven't looked at the data, nor do I plan to access it," Carlow said. "I choose not to, because I've got no reasons to further invade people's privacy more than it has been already. Potentially that data could include anything the affected agencies had."

According to a screenshot of the ALPHV dark web homepage, provided by Carlow, the information posted was the "first part listing." The site promised a "full data dump soon" with "more personal data with SSN, address, DOB, DL, W4, W9, CC."

"Their claims should obviously be viewed with a degree of skepticism," Carlow said in an email.

The types of sensitive personal information promised by ALPHV — such as Social Security numbers, driver's license numbers, tax documents and credit card information — are not stored locally, Craft stressed.

"That is stored at the state level, it is stored with our vendor and both of those sites are ironclad. They've tested them. There have been no breaches within either of those networks," Craft said.

There is a chance that some scanned documents, which could include driver's licenses, were accessed, Craft said, and if that is found to be the case, affected individuals will be notified. Generally, though, Craft believes the information taken would have been public record anyway.

"Frankly they could have gotten (that) from our website and didn't have to go through the effort of hacking our systems," Craft said.

Groups such as ALPHV almost always post their illegally acquired information after ransom demands are not met, Carlow said.

"They work very much like human kidnappers," Carlow said. "Hold the data hostage, and if payment isn't made, post the data online as a warning to the next victim."

Teams of forensic investigators and cybersecurity professionals continue to look into what may have been taken, and to comb the dark web for any of it, Craft said.

There have been notable recent examples of ALPHV-claimed attacks, both in Florida and worldwide.

Last month, the gang posted information from Florida's First Judicial Circuit, the state court in North Florida. According to Pensacola News Journal, the chief judge's personal information was compromised.

Last year, ALPHV posted what it claimed was more than a terabyte of stolen information from Florida International University. The university initially denied any sensitive information had been taken, but review of the data by independent cybersecurity experts showed it included personal information of students and faculty.

Though groups may initially claim nothing was taken, Carlow said, they can be too quick to make those judgments.

"That can be like you go home and find your house burglarized. Poking your head around the door and saying, 'I see no evidence that anything was taken,'" Carlow said. "You just haven't looked fully enough."

Earlier on the same day as the tax collector post, it was reported that Michigan-based healthcare provider McLaren had sent out a letter notifying individuals it had been hit, leaving about 2.2 million individuals' data exposed. One week earlier, ALPHV posted an attack on a multibillion-dollar Japanese defense contractor.

In 2021, the Martin County Tax Collector's Office was taken offline for more than five weeks after what staff called a “security incident.” An investigation involved the FBI and Florida Attorney General's Office, but one year after the system went down, officials at the Tax Collector’s Office there still refused to say what had happened.

Martin County Tax Collector Ruth Pietruszewski initially blamed BlackByte, another ransomware gang, but later walked that back after hiring a computer-security consultant, telling county IT staff the consultant “had not yet determined the exact nature of the incident.”

At the time, Carlow told TC Palm it was “reasonably likely” BlackByte was responsible after he found a message on the dark web appearing to be addressed to the tax collector. That said, BlackByte later deleted that site and its most recent versions do not mention Martin County, Carlow said last year.

Investigations are ongoing, Craft confirmed. The County Sheriff's Office is not involved in the investigation, Sheriff Ken Mascara confirmed. Officials of the Florida Department of Law Enforcement did respond to requests for comment.

Carlow said it can be difficult to hold cybercriminals responsible, in part because they may be located in countries that do not extradite criminals to the U.S.

Wicker Perlis is TCPalm's Watchdog Reporter for St. Lucie County. You can reach him at wicker.perlis@tcpalm.com and 504-331-0516.

This article originally appeared on Treasure Coast Newspapers: Ransomware group claims it took sensitive information, but did it?